1. Field of the Invention
The invention generally relates to telecommunications. More specifically, the invention relates to Proxy Mobile IP and Client Mobile IP Binding Update authentication or location update message authentication, by using security key derivation.
2. Description of the Related Art
In mobile systems security is an essential issue in network and mobile terminal functionalities. Because mobile terminals may roam freely in different networks, it is necessary to establish trusted relationships between the mobile terminals and the networks, which are currently serving the mobile terminals. The trusted relationship requires that the mobile terminal and the visited network have performed mutual authentication and that they are prepared to use data encryption and integrity protection. As a mobile terminal roams in different networks there may arise a need to establish a security association from the mobile terminal to a gateway, which provides access to a network already trusted by the mobile terminal. The network that is already trusted, may be a corporate Intranet, for instance. The network that is trusted may also be an Internet segment via which it is possible to establish a trusted connection to a remote client or a remote network, which again may be a corporate Intranet, for instance.
The establishment of Security Associations between two hosts, between a host and a security gateway or between two security gateways is discussed in the Internet Engineering Task Force (IETF) IP security architecture standard (IPsec). Issues and proposals relating to the Internet technologies are available in Request for Comments (RFC) documents. Some of the proposals available as RFC documents are adopted in the eventual standards.
Document Gundavelli et al.: ‘Proxy Mobile IPv6’, MIP6 Working Group, Oct. 16, 2006, discloses issues in Proxy Mobile IPv6 protocol operation. Gundavelli focuses to a network-based mobility management by handling message formats, Home Agent's and Proxy Mobile Agent's tasks and messaging between these functional elements. Furthermore, AAA (Authentication, Authorization and Accounting) protocol and Binding Updates (BU) as location update messages for the user terminals are discussed. Known AAA protocols are ‘RADIUS’ (Remote Authentication Dial In User Service) and its upgraded version ‘DIAMETER’, for example.
Generally, TMSI (Temporary Mobile Subscriber Identity) describes identity data for a specific mobile terminal in a specific location of the network. The network is able to change the TMSI if this is for some reason desired. The most common use for the TMSI data is the paging of the terminal. Generally in GPRS systems, P-TMSI (Packet TMSI) is allocated for confidential identification of the terminal for services provided through a SGSN (Serving GPRS Support Node) P-TMSI consists of 32 bits.
In LTE (Long Term Evolution) specifications, S-TMSI corresponds to the P-TMSI. In this case, S-TMSI is a temporary identity for a terminal which is provided from the user equipment to a MME (Mobility Management Element).
A mobile node's current location while the mobile is away from its home network, can be described with a care-of address, which is a globally routable address. The home address of the mobile node is a permanent IP address as with any kinds of nodes connected to the network. The association of the mobile node's home address with the care-of address, along with the remaining lifetime of that association, is known as a binding.
Furthermore, mobile station's identity is presented to the network in the form of a Network Access Identifier (NAI) as a part of the access authentication procedure. After a successful authentication, the proxy mobile agent will have the profile of the mobile station.
A Home Agent (HA) maintains a record of the current binding of the mobile node, when the terminal is away from its home network. There are two new Ipv6 destination options for allowing the HA of the mobile node and correspondent nodes learn and cache the binding for the mobile node. After configuring a new care-of address, the mobile node must send a Binding Update (BU), which contains that care-of address and which is sent to the HA. The BU might also be sent to other correspondent nodes if out-of-date care-of address data is present in their binding cache. Receipt of the Binding Update is confirmed by sending a Binding Acknowledgement in return.
Home network also includes a Home AAA Server (AAAH) which is able to check credentials originating from mobile nodes administered by that home network. The AAAH thus provides authentication of the user terminals. Furthermore in prior art, the AAAH provides the security keys for authenticating the Binding Updates.
The problem in the prior art is that the request for key and its response message must be submitted from the HA to the AAAH server each time when a new terminal connects to the network. The problem is finding a way of getting rid of these two messages between the HA and the AAAH. Thus, in the prior art, the update message (such as the Binding Update) authentication is not performed in the most simple nor the quickest available manner.